Last week, Nathan Bruschi introduced the new concept of “cyber bonds,” which seeks to deter governments from engaging in harmful transnational cyberspace activities by hurting them financially if they do so. Simply put, countries will be invested enough in each other’s cyber insurance that any cyberspace action causing harm to one country will result in financial loss to the attacking country.
The idea itself is both novel and straightforward — states will offer standardized cyber insurance policies to a subset of entities, whether private businesses or critical infrastructure companies, the premiums of which will be paid to a national insurance pool that will be used to compensate insurance holders who will become targets of cyberattacks. States will then create country-specific cyber bonds to exchange among themselves in an untradeable basket form (i.e., investing countries will not be able to trade these bonds to avoid devaluation). These cyber bonds will be assimilated in each country’s sovereign wealth fund, which is normally responsible for paying out surpluses and pensions. In a sense, each country will own an untradeable basket of cyber bonds belonging to a multitude of nations. Bruschi argues that, as a result, countries will refrain from engaging in cyberattacks against other participating states, since such action would devalue the cyber bond of the victim country, resulting in massive financial loss to the attacking country. For example, he says, “Vladimir Putin would have to worry about erasing billions of dollars from his own country’s pension funds, possibly leading to riots in the streets.”
The concept of cyber bonds is quite compelling, in a way: It is a “no first use” mechanism, deriving its efficacy from the possible financial gains and losses that are associated with cyberattacks in a particular context. Arguably, it is also a “no subsequent use” mechanism, since a victim country may be compelled to restrain its retaliation to a cyberattack to avoid further devaluation of the bonds. However, there are three main shortcomings which may make this mechanism ineffective in deterring transnational cyberspace threats.
Assumption of Consensus
The premise that states will be persuaded to purchase each other’s cyber bonds is flawed, since states are already divided when it comes to the most basic questions relating to the regulation of cyberspace in the transnational context. Cyberspace doctrines vastly diverge, making consensus either impractical or, in certain circumstances, undesirable due to major compromises. Therefore, assuming that states will agree to the cyber bonds arrangement is somewhat of a leap. Geopolitical fragmentation relating to cyberspace doctrines is already making a consensus on the fundamental issues unattainable.
Furthermore, some states actually benefit from the ambiguity and opaqueness of the legal status of cyberattacks, as well as their consequences. Those uncharted waters serve states strategically since they enjoy a relative advantage in having carte blanche when it comes to transnational cyberspace activities.
As a result, this self-limiting method to deal with harmful cyberspace activities, which also has a price tag attached, may not adequately encourage states’ participation. In fact, assuming some consensus, states are more likely to agree on rules of behavior in cyberspace in other forms (violation of which will not entail monetary compensation). For example, those rules may exist in bilateral or multilateral treaties, or simply in a non-binding form like the UN Group of Governmental Experts Report, which stimulates important discussions on the limits of state-sponsored activities in cyberspace, thus advancing mutual understanding.
Absence of Normative Background
Even if we manage to reach a consensus, and states universally opt into the cyber bonds mechanism, the normative question on the rules of behavior in cyberspace remains unanswered. The cyber bonds mechanism on its own cannot succeed if states do not know what activities will devaluate their cyber bonds. Is espionage “harmful”? What about simply discovering and stockpiling zero-day exploits for future use?
An insurance policy may answer some of these questions by listing the types of cyberattacks that entitle the insurance holder to monetary compensation. However, a closed list of cyber-harms is unlikely to capture the myriad threats emanating from cyberspace. Drawing the line between “harmful activities” and “non-harmful activities” is somewhat arbitrary, and may leave an important subset of cyberattacks outside of the scope of insurance policies, encouraging states to engage in non-covered forms of cyber espionage and information warfare.
Moreover, even if a flawless list of harmful cyberspace activities is attainable, the remaining question is one of efficacy. The deterrent power of financial loss is limited in times of war and conflict, as well as when national interests outweigh the financial loss due to cyber bonds devaluation. That leads me to my third and final point — the scope of application.
Scope of Application
“À la guerre comme à la guerre,” goes the infamous saying, and it is utterly relevant to cyberattacks. The main challenge here is that the types of cyberattacks that will be prevented by the cyber bonds mechanism may prove to be narrower than expected. In situations of immediate national peril requiring self-preservation measures, the awareness that a particular type of cyberattack will have a direct economic impact is unlikely to deter countries from using it. Those are the types of cyberattacks that experts sometimes refer to as “Cyber 9/11” or “Cyber Pearl Harbor,” emphasizing the catastrophic nature of such incidents. These catastrophic cyberattacks have not yet taken place, but they represent a legitimate and serious national security threat.
In addition, even though states involved in the cyber bonds scheme will have an incentive to enforce the law against individuals and groups who may target other states with cyberattacks, the capacity to do so is limited when very sophisticated groups are involved, such as cyber terrorists or hacktivists who can easily mask their identities. That challenge is exacerbated in states that do not hold the expertise or resources to identify and prosecute these actors. That could mean that only a relatively small subset of states will be able to participate in the scheme, and the devaluation of their cyber bonds could occur rather easily, if a highly sophisticated and harmful cyberattack is carried out beyond their reach.
The Road Ahead: A Hybrid Model?
The purpose of this post is not to discredit the concept of cyber bonds, but rather to highlight the particular challenges that may affect the efficacy of the concept. The possible solution to overcome these challenges is to consider a model where cyber bonds work alongside other instruments — for instance, rules of conduct for transnational cyberspace activities, or a centralized international authority to enforce rules and monitor transnational cyberspace activities.
Interestingly, Bruschi very aptly recognizes that in the annexation of Crimea, Russia was not deterred by the possible ad hoc outcome of US-EU sanctions against it. Despite having major economic impact, these sanctions did not compel Russia to surrender Crimea or to discontinue its involvement in the armed conflict in Ukraine. In my view, that would be the case with cyber bonds as well. Certain unilateral acts by states lack an objective economic rationale, and expecting states to be perfectly predictable in accordance with concepts of behavioral economics is questionable.
The uncertainty is not whether a cyber bonds system will work, but for how long it will work before it collapses due to major disagreements or an emerging armed conflict. For cyber bonds to work, the fundamental obstacles of a lack of consensus, absence of a normative framework, and the narrow scope of applicability need to be resolved. Addressing these obstacles will strengthen the cyber bonds concept, and will enhance its credibility and efficacy.